456809 – PolicyKit fails to authenticate.

Bug 456809 - PolicyKit fails to authenticate.

Summary: PolicyKit fails to authenticate.

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	PolicyKit
Sub Component:
Version:	9
Hardware:	All
OS:	Linux
Priority:	low
Severity:	high
Target Milestone:	---
Assignee:	David Zeuthen
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-07-27 15:37 UTC by Feng Yu
Modified:	2013-03-06 03:56 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-07-28 17:37:37 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Feng Yu 2008-07-27 15:37:31 UTC

Description of problem:
Selinux denied PolicyKit to perform the Admin authentication.

Version-Release number of selected component (if applicable):

PolicyKit-0.8-2.fc9
selinux-policy-3.3.1-74.fc9
How reproducible:

Always
Steps to Reproduce:
1. System->Pref->System->authorizations
2. Click show authorizations from all users
3. Type in the root password
  
Actual results:
Failed to authenticate as the admin

Expected results:
A successful authentication

Additional info:
Source:  polkit-read-autSource Path:  /usr/libexec/polkit-read-auth-helper
Port:  <Unknown>Host:  xxxxxx.dhcpxx.xx.edu
Source RPM Packages:  PolicyKit-0.8-2.fc9
Target RPM Packages:  
Policy RPM:  selinux-policy-3.3.1-74.fc9
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  x.x.x.edu
Platform:  Linux x 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686
i686
Alert Count:  880
First Seen:  Thu 10 Jul 2008 11:25:40 PM EDT
Last Seen:  Thu 10 Jul 2008 11:30:46 PM EDT
Local ID:  90d6db55-6bf6-429e-8060-60c8421582a3
Line Numbers:  
Raw Audit Messages :
host=x type=AVC msg=audit(1215747046.897:1122): avc: denied { dac_override } for
pid=3970 comm="polkit-read-aut" capability=1
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=capability 

host=x type=AVC msg=audit(1215747046.897:1122): avc: denied { dac_read_search }
for pid=3970 comm="polkit-read-aut" capability=2
scontext=system_u:system_r:polkit_auth_t:s0
tcontext=system_u:system_r:polkit_auth_t:s0 tclass=capability 

host=x type=SYSCALL msg=audit(1215747046.897:1122): arch=40000003 syscall=195
success=no exit=-13 a0=bff47e7c a1=bff47cd8 a2=7284ff4 a3=bff47e7c items=0
ppid=3882 pid=3970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=87
sgid=87 fsgid=87 tty=(none) ses=4294967295 comm="polkit-read-aut"
exe="/usr/libexec/polkit-read-auth-helper"
subj=system_u:system_r:polkit_auth_t:s0 key=(null)

Comment 1 Feng Yu 2008-07-27 16:59:26 UTC

Message from polkit-gnome-authorization with a new user:

** (polkit-gnome-authorization:6763): WARNING **: Error: code=3: uid 501 is not
authorized to read authorizations for uid 501 (requires
org.freedesktop.policykit.read)

PAM version:
pam-1.0.1-4.fc9.i386

I changed it to high because the entire policy thing is not working at all.
It may be due to the misconf of my machine but I can't find any clue.


cat /etc/pam.d/polkit
#%PAM-1.0

auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

Comment 2 Feng Yu 2008-07-28 17:37:37 UTC

Not a bug. owner of /usr/lib/PolicyKit was mistakenly set to root:root.
Reinstalling PolicyKit with
yum reinstall PolicyKit 
solves the problem.

Note You need to log in before you can comment on or make changes to this bug.